0

I'm involved in a Java web application migration project to the IBM WebSphere Portal (IBM WP) platform.

The actual application in the production environment manually validates user credentials (username and password) against a database table that stores the data. I understand that the idea behind a Portal application is that the Portal container handles these security issues, but I'm not sure how IBM WP can consume the credentials that are now in the database.

There's a brand new Tivoli Directory Server in the company, and I'm aware that I can't connect IBM WP to this LDAP server, so do I need to migrate every user in the database to this LDAP server, or is there a way for Tivoli to recognize the credentials that are in the database?

Carlos Gavidia-Calderon

2 Answers

2

Trust Association Interceptors are powerful, but they totally override WebSphere authentication mechanisms, so be sure to write a quite robust one! As Carlos Gavidia suggested, I'd also take a look at Custom User Registry. I'd also suggest considering the Property Extension Repository (also known as Lookaside), so you can define your own attributes and read/write them directly from the Portal API.

http://www-01.ibm.com/support/docview.wss?uid=swg21248674

1

You can hook in any kind of custom authentication you need using a Trust Association Interceptor. Your custom authenticator would probably work a lot like the authentication code in your existing system. It would display a page prompting the user for their credentials, and then check them against the DB.

I'm not sure how this relates to your Tivoli LDAP, but there seems to be a provided TAI for TAM integration: Tivoli Access Manager Trust Association Interceptor (TAI++)

Malcolm Smith
  • I use WAS7 + Portal 6.1.5 so I can't say from my experience, but I think it's unlikely that IBM would have removed it. The TAI system is part of WAS not Portal, so it really depends on the WAS version you are running. It's certainly part of WAS7, which I imagine you are using if you're on Portal 7. – Malcolm Smith Jul 19 '12 at 15:14
  • And how about Custom User Registries? Have you tried that? http://www.ibm.com/developerworks/websphere/library/techarticles/0212_bourgeot/0212_bourgeot.html – Carlos Gavidia-Calderon Jul 19 '12 at 15:34
  • Nope, sorry, never used that. – Malcolm Smith Jul 19 '12 at 15:52
  • An additional question: If I use a TAI in WP that means that I don't need a User Registry at all? – Carlos Gavidia-Calderon Jul 23 '12 at 02:07
  • No, I think you do still need a user registry for Portal. The TAI will handle the authentication, set up the JAAS subject and get WebSphere to issue an LTPA token etc, but I think Portal has a hard requirement for a registry of some kind, so the user will need to exist there as well. – Malcolm Smith Jul 23 '12 at 20:54
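
The TAI approach discussed in this thread, as an added example that is not code from either answerer or from IBM: an interceptor that claims only credential POSTs, delegates the check to the existing database logic, and rejects the login on any failure, since a TAI replaces WebSphere's own authentication step. The class name `DbLoginTai`, the `loginUri` custom property, the form field names and the `verify()` hook are hypothetical; it compiles only against the WebSphere runtime libraries.

```java
import java.util.Properties;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

// Added sketch, not IBM sample code. Subclass it and implement verify() with the existing DB check.
public abstract class DbLoginTai implements TrustAssociationInterceptor {
    private String loginUri; // hypothetical custom property: the URI the login form posts to

    // Assumption: looks up the stored salted hash for this user and compares it in constant time.
    protected abstract boolean verify(String user, String password);

    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        loginUri = props.getProperty("loginUri");
        if (loginUri == null) throw new WebTrustAssociationFailedException("loginUri not configured");
        return 0; // 0 reports successful initialization
    }

    // Claim only credential POSTs sent over TLS; every other request gets normal WebSphere handling.
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        return req.isSecure() && "POST".equals(req.getMethod()) && loginUri.equals(req.getRequestURI());
    }

    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
            throws WebTrustAssociationFailedException {
        String user = req.getParameter("username"); // hypothetical form field names
        String pass = req.getParameter("password");
        if (user == null || user.trim().isEmpty() || pass == null) {
            return TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED);
        }
        try {
            if (verify(user, pass)) {
                // Per the thread, this principal still has to exist in Portal's user registry.
                return TAIResult.create(HttpServletResponse.SC_OK, user);
            }
        } catch (RuntimeException e) {
            // Fail closed: a DB or lookup error is a rejected login. Log it server-side only.
        }
        // Same response for unknown user, wrong password and backend error.
        return TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED);
    }

    public String getVersion() { return "1.0"; }
    public String getType() { return getClass().getName(); }
    public void cleanup() { }
}
```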